Art Unit: 2155



DETAILED ACTION 



Claims 3, 5-26, 31-43, 49-63, 67-93 and 96-107 are pending. 



A collective statement of motivation for combination concludes each section of the rejection.



Claim Rejections - 35 USC § 103 



3. The text of those sections of Title 35, U.S. Code 103(a) not included in this action can be 
found in a prior Office action. 

4. Claims 3, 5-6, 13-14, 23, 25, 31-32, 35-38, 49-54, 56-62, 67-74, 77, 79-85, 87-93, 101-102,
104 and 106 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bjorn N.
Freeman-Benson, "Using the Web to Provide Private Information -or- A Short Paper About
Password Protection Without Client Modifications" (hereafter referred to as Freeman-Benson) in
view of Johnson et al., U.S. Patent No. 5,560,008 (hereafter referred to as Johnson).

5. Regarding claim 3, Freeman-Benson taught a method of processing service requests from 
a client to a server system through a network comprising: 

forwarding a service request from the client to the server system, wherein the 
communications between the client and server system are according to hypertext transport 
protocol (para 11, pgs 2-3);

returning a session identifier from the server system to the client (returning specialized
URL, para 16, pg 3); and 

the session identifier appended to subsequent service requests from the client to the server 
system within a session of requests (paras 12, 16, pg 3). 

Freeman-Benson does not specifically teach appending a session identifier to service 
requests. However, Johnson taught appending a session identifier to subsequent service requests 
(col. 5, line 66 - col. 6, line 2, inserting following each request, col. 9, lines 33-39). 

6. Regarding dependent claim 5, Johnson taught the session identifier (credential id) 
includes a user identifier (col. 5, lines 56-60). 

7. Regarding dependent claim 6, Freeman-Benson does not specifically disclose wherein the 
session identifier (credential id) includes an expiration time for the session. However, Johnson 
does disclose that the authentication is valid within an expiration time (col. 6, lines 38-43,
51-54). It would have been obvious to one of ordinary skill in the art at the time the invention was
made to include the expiration time in the session id because doing so would improve efficiency 
by not requiring the server to request the expiration time before validating the session identifier 
(credential id). 

8. Regarding dependent claim 13, Johnson taught the server system assigns the session 
identifier (credential id) to an initial service request to the server system (if credential id not 
included in request, col. 6, lines 11-14, 31-34).

9. Regarding dependent claim 14, Johnson taught the server system subjects the client to an
authorization routine prior to issuing the session identifier (credential id) and the session 
identifier (credential id) is protected from forgery (col. 6, lines 31-36, 47-50). 

10. Regarding dependent claim 23, Johnson taught the access rights of the client are fully contained
within the session identifier (col. 8, lines 32-38). 

11. Regarding dependent claim 25, Freeman-Benson taught a service request is for a
document which has been purchased by the user (access to the private database is purchased, 
paragraph 2). Johnson taught the session identifier comprises an authorization identifier 
(privilege field), and further comprising: 

returning the requested document if the authorization identifier indicates that the user is 
authorized to access the document (col. 8, lines 15-22). 

12. Regarding dependent claim 31, Freeman-Benson taught at least one service request
comprises a document request for a document (search request, para 11, pg 2) which has been
purchased by a user (user charged for access to private database, para 2, pg 1). Johnson taught the 
steps of: 

appending an authorization identifier to the request (inserting credential id including 
privilege field, col. 5, line 66 - col. 6, line 2, col. 9, lines 33-39); and 

returning the requested document if the authorization identifier indicates the user is 
authorized to access the document (col. 7, lines 46-53, col. 8, lines 18-22).

13. Regarding dependent claim 32, Johnson taught the authorization identifier is encoded
within a session identifier which is appended to the request (col. 9, lines 6-16).

14. Regarding claim 35, Freeman-Benson taught an information system on a network, 
comprising: 

means for receiving service requests from client and for determining whether a service 
request includes a session identifier wherein communications to and from the clients are 
according to hypertext transfer protocol (para 19, pg 4); 

means for providing the session identifier in response to an initial service request in a 
session of requests (para 11, pgs 2-3); and

means for providing the session identifier in response to an initial service request in a 
session of requests (para 12, pg 3); and 

means for servicing service request from a client which include the session identifier 
(paras 20-21, pg 4). Freeman-Benson does not specifically teach subsequent service request 
being processed in the session. However, Johnson taught subsequent service request being 
processed in the session (col. 6, lines 41-45). It would have been obvious to one of ordinary skill 
in the art at the time the invention was made that incorporating Johnson's subsequent service 
request being processed in the session in Freeman-Benson's system for accessing a private web 
database would have improved system efficiency. The motivation would have been to enable the 
web server to limit the validity of the session identifier to a length of time, i.e. corresponding to a 
session, and thereby improve system security.

15. Regarding dependent claim 36, Johnson taught the access rights of the client are fully
contained within the session identifier (col. 8, lines 32-38). 

16. Regarding dependent claim 37, Freeman-Benson taught the means for providing the 
session identifier is in a server system which services the requests (para 11, pgs 2-3, web server 
in system with several nodes, paras 19-21, pg 4). 

17. Regarding dependent claim 49, Freeman-Benson taught the session identifier is
cryptographically generated (encrypted version of login name and password appended to URL, 
para 9, pg 2). 

18. Regarding dependent claim 50, Johnson taught further comprising:

returning a REDIRECT to the client (client authentication agent constructs credentials), the 
REDIRECT including a locator for an authentication server (redirect the client request to 
authentication agent), the authentication server providing the session identifier (authentication 
agent of server providing credential id, col. 9, lines 45-52). 

19. Regarding dependent claim 51, Freeman-Benson taught wherein the session identifier is 
appended to at least one path name in a document returned by the server system (encrypted 
version of login name and password appended to URL, para 9, pg 2). 

20. Regarding dependent claim 52, Freeman-Benson taught the at least one path name is a 
link in the returned document (appended to URL, para 8, pg 2). 

21. Regarding dependent claim 53, Freeman-Benson taught the link is an absolute link (URL
with designated path name, para 8, pg. 2).

22. Regarding dependent claim 54, Freeman-Benson taught the link comprises a uniform
resource locator (special URL, para 9, pg 2). 

23. Regarding dependent claim 56, Freeman-Benson taught the session identifier is 
cryptographically generated (encrypted version of login name and password appended to URL,
para 9, pg 2). 

24. Regarding dependent claim 57, Johnson taught the session identifier is directed to an 
accessible domain (group set field, col. 8, lines 14-15). 

25. Regarding dependent claim 58, Freeman-Benson does not specifically disclose wherein 
the session identifier (credential id) includes an expiration time for the session. However, 
Johnson does disclose that the authentication is valid within an expiration time (col. 6, lines
38-43, 51-54). It would have been obvious to one of ordinary skill in the art at the time the invention
was made to include the expiration time in the session id because doing so would improve 
efficiency by not requiring the server to request the expiration time before validating the session 
identifier (credential id). 

26. Regarding dependent claim 59, Johnson taught the session identifier comprises a date 
(col. 6, lines 41-45). 

27. Regarding dependent claim 60, Johnson taught the session identifier comprises a key 
identifier (index, col. 8, lines 8-9). 

28. Regarding dependent claim 61, Johnson taught the session identifier comprises an 
address of the client (location of user in group id, col. 8, lines 11-12).

29. Regarding dependent claim 62, Johnson taught the session identifier comprises an
unforgeable digital signature (col. 9, lines 16-20). 

30. Regarding dependent claim 67, Freeman-Benson taught the session identifier is 
designated by the server system (session identifier returned in link, para 11, pgs 2-3), further
comprising the steps of: 

validating, at the server system, the appended session identifier (KeyVerifierNode 
validating encrypted portion of special URL, para 21, pg 4); 

returning a controlled document if the appended session identifier is valid (returning the 
document, para 19, pg 4). 

31. Regarding claim 79, Freeman-Benson taught a method of processing service requests
from a client to a server system through a network, 

forwarding the service request from the client to the server system, wherein the 
communications between the client and server system are according to hypertext transfer 
protocol (para 11, pgs 2-3);

returning a session identifier from the server system to the client (returning specialized 
URL, para 16, pg 3); 

appended as part of a path name in a uniform resource locator the session identifier to 
subsequent service requests from the client to the service system within a session requests (paras
12, 16, pg 3).

Freeman-Benson does not specifically teach appended as part of a path name in a uniform
resource locator the session identifier to subsequent service requests. However, Johnson taught 
appending the session identifier to subsequent service requests (col. 5, line 66 - col. 6, line 2, 
inserting, col. 9, lines 33-39). 

32. Regarding dependent claim 101, Johnson taught the session identifier is appended by the 
client (col. 9, lines 33-39). 

33. Regarding dependent claim 102, Freeman-Benson taught the session identifier is 
cryptographically generated (encrypted version of login name and password appended to URL, 
para 9, pg 2). 

34. Regarding dependent claim 104, Freeman-Benson taught the document is returned 
electronically (inherent, web server returning document requested by URL, para 19, pg 4). 

35. Regarding dependent claim 106, Freeman-Benson taught the authorization identifier is 
appended to a uniform resource locator (specialized URL, para 8, pg. 2). 

36. Regarding the motivation for claims 1 and 79, it would have been obvious to one of 
ordinary skill in the art at the time the invention was made that substituting Johnson's appending 
a session identifier to subsequent request in Freeman-Benson's system for accessing a private 
web database would have improved system effectiveness. The motivation would have been to 
improve upon Freeman-Benson method of authentication by incorporating authorization.

37. Claims 7-12, 24-26, 33-34, 39-43, 55, 76, 78 and 86 are rejected under 35 U.S.C. 103(a)
as being unpatentable over Freeman-Benson and Johnson further in view of Filepp et al., U.S. 
Patent No. 5,347,632 (hereafter referred to as Filepp). 

38. Regarding dependent claim 7, Freeman-Benson does not specifically teach the server 
system recording a transaction log. However, Filepp taught a method wherein the server system 
records information in a transaction log in the server system (col. 9, lines 38-44). 

39. Regarding dependent claim 8, Freeman-Benson does not specifically teach the server 
tracking the access history of the session. However, Filepp taught a server system that tracks the 
access history of sequences of service requests within a session of requests (col. 9, lines 38-44). 

40. Regarding dependent claim 9, Freeman-Benson does not specifically teach the server 
system tracking the access history to determine requests leading to purchases. However, Filepp 
taught the server system tracking the access history to determine requests leading to purchases 
(col. 93, lines 27-43). 

41. Regarding dependent claim 10, Freeman-Benson does not specifically teach a server
system counting the requests. However, Filepp taught a server system counts requests to 
particular services exclusive of repeated requests from a common client (col. 9, lines 41-44). 

42. Regarding dependent claim 11, Freeman-Benson does not specifically teach a database
relating customer information to access patterns. However, Filepp taught the server system 
maintains a database relating customer information to access patterns (col. 93, lines 28-43).

43. As per dependent 12, Freeman-Benson does not specifically teach information that
includes customer demographics. However, Filepp taught wherein the information includes 
customer demographics (col. 9, lines 38-44). 

44. Regarding dependent claim 24, Johnson taught a service request is for a document 
(request to open a file) and the session identifier includes a user identification (user id, col. 8, 
lines 10-11), further comprising: 

returning the requested document wherein the document (returning an opened file, col. 7, 
lines 46-53). Johnson does not specifically teach the document is customized for a particular user 
based on the user identification of the session identifier. However, Filepp taught the document is 
customized for a particular user based on the user identification of the session identifier (col. 9, 
lines 38-44). 

45. Regarding dependent claim 26, Johnson taught a service request is for a document 
(request to open a file) wherein the session identifier comprises a user identifier (user id, col. 8, 
10-11), further comprising: 

returning the requested document to the client (receiving open file, col. 7, lines 46-53). 
Johnson does not specifically teach charging the user identified in the identifier for access to the 
document. However, Filepp taught charging the user identified in the identifier for access to the 
document (col. 6, lines 57-61).

46. Regarding dependent claim 33, Johnson taught at least one service request comprises a
request for a document (request to open file), wherein the session identifier is designated by the
server system (credential id specified by server system), said method comprising:

returning the requested document to the client (col. 5, lines 66 - col. 6, line 2). 

Johnson does not specifically teach charging the user identified in the session identifier 
for access to the document. However, Filepp taught charging the user identified in the session 
identifier for access to the document (col. 6, lines 57-61). 

47. Regarding dependent claim 34, Johnson taught a user identifier is encoded within a 
session identifier which is appended to the request (user id, col. 8, lines 10-11, inserted following 
request, col. 9, lines 33-39). 

48. Regarding dependent claim 55, Johnson does not specifically teach the step of appending 
the session identifier comprises filtering the requested document. However, Filepp taught 
filtering the requested document (filtering by customizing the document, col. 9, lines 38-44).

49. Regarding dependent claim 76, Freeman-Benson does not specifically teach the 
document is customized for a particular based on user identification of the session identifier. 
However, Filepp taught the document is customized for a particular based on user identification 
of the session identifier (col. 9, lines 38-44). 

50. Regarding claims 7, 10-11, 24, 26, 33, 39-42, 55, 76, 78, 86, it would have been obvious
to one of ordinary skill in the art at the time the invention was made that incorporating Filepp's 
tracking methodology in Freeman-Benson's system for accessing a private web database would 
have improved system utility. The motivation would have been to increase the marketability and
flexibility of Freeman-Benson's system by enabling the service providers to be more responsive 
to clients. 

51. Claims 15-21, 63 and 75 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Freeman-Benson and Johnson further in view of Cheng et al., U.S. Patent No. 5,544,322 
(hereafter referred to as Cheng). 

52. Regarding dependent claim 15, Freeman-Benson does not specifically teach plural 
servers. However, Cheng taught plural servers including an authentication server which provides 
session identifier (credential id)s for service requests to multiple servers (Figure 2, col. 5). 

53. Regarding dependent claim 16, Johnson taught a method wherein a client directs a service 
request to a first server which is to provide the requested service; 

the first server checks the service request for a session identifier (credential id) and only 
services a request having a valid session identifier (credential id), 

and where the service request has no valid identifier, the first server redirects the service 
request from the client to the authorization server (authentication agent); 

the authorization server (authentication agent) subjects the client to the authorization 
routine and issues the session identifier (credential id) to be appended to the service request to 
the first server; 

the client forwards the service request appended with the session identifier (credential id) 
to the first server;

the first server recognizes the session identifier (credential id) and services the service
request to the client; and, 

the client appends the session identifier (credential id) to subsequent service requests to 
the server system and is serviced without further authorization. Benson does not specifically 
teach an authorization server. However, Cheng taught a client, a first server, and an authorization 
server (Figure 2, col. 5). 

54. Regarding dependent claim 17, Johnson taught a method wherein the session identifier
(credential id) includes a user identifier (col. 5, lines 56-60). 

55. Regarding dependent claim 18, Johnson taught the session identifier (credential id) has 
an expiration time. Johnson does not disclose the session identifier (credential id) includes an 
expiration time for the session. However, it would have been obvious to one of ordinary skill in 
the art to incorporate an expiration time for the session in session identifier (credential id) 
because including the expiration time in the session identifier (credential id) would increase 
efficiency by not requiring the server to request the expiration time before validating an 
authorization. 

56. Regarding dependent claim 19, Johnson taught the session identifier (credential id) 
provides access to a protected domain to which the session has access authorization (col. 13, 
lines 37-40). 

57. Regarding dependent claim 20, Johnson taught the session identifier is modified for 
access to a different protected domain (col. 8, lines 32-38).

58. Regarding dependent claim 21, Johnson taught the session identifier (credential id)
provides a key identifier for key management (col. 5, lines 56-60). 

59. Regarding dependent claim 63, Freeman-Benson does not specifically teach the 
authorization identifier is provided by an authentication server. However, Cheng taught the 
authorization identifier is provided by an authentication server (col. 5, lines 31-34, 36-39). 

60. Regarding dependent claim 75, Freeman-Benson does not specifically teach the session 
identifier facilitates authenticated accesses across multiple servers. However, Cheng taught the 
session identifier facilitates authenticated accesses across multiple servers (Figure 2, col. 5). 

61. Regarding claims , it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to incorporate Cheng's multiple server system in
Freeman-Benson's system for accessing a private web database because doing so would have increased
system utility. The motivation would have been to increase flexibility by enabling the service 
providers to authorize more clients to access protected domains. 

62. Claim 22 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Freeman-Benson, Johnson and Cheng further in view of Filepp.

63. Regarding dependent claim 22, Freeman-Benson does not specifically teach a transaction 
log in the server system. However, Filepp taught a method wherein the server system records 
information from the session identifier (credential id) in a transaction log in the server system 
(col. 9, lines 38-44). It would have been obvious to one of ordinary skill in the art at the time the 
invention was made that incorporating Filepp's tracking methodology in Freeman-Benson's
system for accessing a private web database would have improved system utility. The motivation
would have been to increase the marketability and flexibility of Freeman-Benson's system by 
enabling the service providers to be more responsive to clients. 

64. Claims 96-98, 100, 103 and 105 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Freeman-Benson in view of Dedrick, U.S. Patent No. 5,768,521 (hereafter 
referred to as Dedrick). 

65. Regarding dependent claim 96, Freeman-Benson does not specifically teach how a user is 
charged. However, Dedrick taught servicing a request (col. 3, lines 50-56); and automatically 
charging a user identified by the session identifier for the service provided (col. 3, lines 60-63). 

66. Regarding dependent claim 97, Freeman-Benson does not specifically teach how a user 
makes a purchase request. However, Dedrick taught at least one service request comprises a 
purchase request (review of the request indicates the user is not a subscriber), the purchase 
request including an associated user identifier (request includes information identifying whether 
the user is a subscriber), the method further comprising: 

accessing, upon receipt of the purchase request at the server system, user information 
associated with the user identifier sufficient to charge an account associated with the user the 
purchase price of the product identified by the purchase request (col. 3, lines 31-41, 60-63); 

charging the user for the product identified by the purchase request according to the user 
information (col. 7, lines 29-35); and 

fulfilling the purchase request based on the user information (col. 7, lines 35-37).

67. Regarding dependent claim 98, Johnson taught the client includes the user identifier in a
session identifier (user id, col. 8, lines 11-12). Freeman-Johnson taught the session identifier 
appended to the purchase request (request to purchase private information para 2, pg. ). 

68. Regarding dependent claim 100, Freeman-Benson does not specifically teach how the 
user makes a purchasing request. However, Dedrick taught under control of a client system, 

displaying information identifying a product (col. 7, lines 18-23); and 
in response to a user selection of a hyperlink (inherent, information distributed according 
to hypertext markup language, col. 4, lines 36-38) associated with a product desired to be 
purchased, sending a request to purchase the item along with an identifier of a purchaser of the 
item to a server system (id whether client is a subscriber, col. 7, lines 18-26); and 
under the control of the server system, 

upon receiving the request, retrieving additional information previously stored for the 
purchaser identified by the identifier in the received request (retrieving profile containing 
account information, col. 3, lines 31-41, 60-63); 

charging the user the purchase price of the product (metering server debits the user 
account, col. 7, lines 32-37); and 

fulfilling the request for the product (sending information, col. 7, lines 32-37). 

69. Regarding dependent claim 103, Freeman-Benson does not specifically teach how a user 
is charged. However, Dedrick taught identifying the user from the authorization identifier 
(identifying subscriber authorization, col. 3, lines 50-56); and

automatically charging the identified user for the document (col. 3, lines 60-63).

70. Regarding dependent claim 105, Freeman-Benson does not specifically teach a physical 
copy of the document is sent. However, Dedrick taught a physical copy of the document is sent 
(through the purchasing options the user is able to retrieve requested information by printing, i.e. 
physical copy, col. 3, lines 25-27). 

71. Regarding claims 96, 97, 100, 103, 105, it would have been obvious to one of ordinary 
skill in the art at the time the invention was made that incorporating Dedrick's metering
mechanisms for charging users for electronic information in Freeman-Benson's system for 
accessing a private web database would have improved system effectiveness. The motivation 
would have been to provide a mechanism to allow a system to automatically debit and bill a user for
consuming requested electronic information from the web database (Dedrick, col. 1, lines 54-56). 

Statements concerning the remaining claims 

72. The language of claims 38-43 is substantially equivalent to the language of previously 
rejected claims 14, 7-8, 10-12. Therefore, claims 38-43 are rejected on the same rationale as 
claims 14, 7-8, 10-12, respectively. 

73. The language of claims 68-74 is substantially equivalent to the language of previously
rejected claims 56-62. Therefore, claims 68-74 are rejected on the same rationale as claims
56-62, respectively.

74. The language of claims 77-78 is substantially equivalent to the language of previously
rejected claims 51 and 55. Therefore, claims 77-78 are rejected on the same rationale as claims 
51 and 55, respectively. 

75. The language of claims 80-93 is substantially equivalent to the language of previously 
rejected claims 49-62. Therefore, claims 80-93 are rejected on the same rationale as claims
49-62, respectively.

Allowable Subject Matter 

76. Claims 99 and 107 are objected to as being dependent upon a rejected base claim, but 
would be allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. 

77. The following is a statement of reasons for the indication of allowable subject matter: 
Claims 99 and 107 are objected to because the prior art of record fails to teach or suggest
including a user identifier in a cookie or appending an authorization identifier to a cookie.

78. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Patrice Winder whose telephone number is (703) 305-3938. The 
examiner can normally be reached on Monday-Friday from 7:30 AM to 4:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh, can be reached on (703) 305-9648. The fax phone number for this 
Group is (703) 308-9052. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the Group receptionist whose telephone number is (703) 305-3900. 




Patrice Winder 
Patent Examiner 
Art Unit 2155 



